security & trust
Built for HR data, handled like it.
We process some of the most sensitive personal data on the planet: candidate CVs. Here's exactly how we keep them safe, and what we're audited against.
How we treat your data
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Customer data is encrypted with workspace-scoped keys; you can also bring your own KMS on Scale and above.
60-second file retention
Uploaded CVs are wiped from disk within 60 seconds of a successful parse. We retain only the structured JSON output for 30 days (12 months on Scale) for retrieval via the API.
EU & UK data residency
Default region is eu-west-2 (London). Pin processing to eu-west, uk-south, or us-east-1 on Scale. We never move customer data across regions for our own purposes.
No training on your data
Customer CVs and parses are never used to train, fine-tune, or evaluate our models. Period, including by our LLM sub-processors.
RBAC + audit logs
Workspaces support owner / admin / developer / viewer roles. Every API key issuance, rotation, and revocation is logged with actor, IP, and timestamp.
Quarterly key rotation
We rotate workspace signing secrets and internal credentials quarterly. Old secrets stay valid for 30 days to give you a graceful migration window.
Compliance
UK DPA 2018
Compliant (2018+)
SOC 2 Type II
In progress (Audit Q3 2026)
We sign DPAs on request, including Standard Contractual Clauses for non-EEA transfers and BSI-aligned schedules. Email security@cvparser.io.
Infrastructure
Hosting
AWS: eu-west-2 (London) primary, eu-west-1 (Dublin) DR.
Compute
Kubernetes on EKS, hardened workers, pod-level isolation.
Storage
S3 with bucket-level encryption + KMS. Daily integrity scrubs.
Networking
WAF + DDoS shield. VPC-isolated. No public DB endpoints.
Secrets
AWS Secrets Manager, IAM roles for service auth, no long-lived creds.
Monitoring
Datadog SIEM + alerting. On-call 24/7. 8-min mean response to P1.
Incident response & disclosure
We commit to a 24-hour breach notification window. If you've found a vulnerability, please email security@cvparser.io directly, or use our PGP key 7C4A 8B19 .... We run a private bug bounty on HackerOne; reach out for an invite.
Need our SIG or full security questionnaire?
We have current SIG Lite and CAIQ-Lite responses ready to share under NDA.
Request docs